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CLAIMS 

What is claimed is: 

1. A. method for cryptographically processing data, said method comprising: 
receiving a plurality of data segments; 

selecting, for each data segment, a set of encryption information based on data 
contained, in a predetermined portion of the data segment to be encrypted; and 

encrypting each data segment using the set of encryption information selected for 
the data segment. 

2. The method of claim 1, wherein said selecting comprising: 

changing at least one of an encryption algorithm, an encryption key, and an 
encryption parameter for each data segment based on the data contained in the 
predetermined portion. 

3. The method of claim 1, wherein said selecting comprises: 
generating, for each data segment, a value from data contained in the 

predetermined portion of the data segment; and 

selecting a set of encryption information associated with the generated value, the 
set of encryption information including an encryption algorithm, an encryption key, and 
optionally an encryption parameter. 

4. The method of claim 3, wherein said generating a value comprises: 
hashing the data contained in the predetermined portion using a hash key. 

5. The method of claim 3, further comprising: 
providing an encryption table containing: 

an encryption type identifier; 
an encryption key for the encryption type; and 
an encryption parameter, 
for each entry associated with a generate value. 
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6. The method of claim 1 , wherein the predetermined portion comprises: 

a first predetermined portion for selecting a first set of encryption information, 
the first set comprising a first encryption algorithm, a first encryption key, and optionally 
a first encryption parameter; and 

a second predetermined portion for selecting a second set of encryption 
information, the second set comprising a second encryption algorithm, a second 
encryption key, and optionally a second encryption parameter. 

7. The method of claim 6, wherein said receiving comprises: 

receiving a data stream including a plurality of data packets, each data packet 
corresponding to a data segment. 

8. The method of claim 7, wherein the first predetermined portion contains data for 
a first protocol layer, and the second predetermined portion contains data for a second 
protocol layer, wherein the first protocol layer is lower than the second protocol layer. 

9. The method of claim 7, wherein the first predetermined portion is an Internet 
Protocol (IP) header of the data packet. 

10. The method of claim 9, wherein the second predetermined portion is a selected 
portion of a data field of the data packet. 

1 1 . The method of claim 9, wherein the second predetermined portion is a 
Transmission Control Protocol (TCP) header of the data packet. 

12. The method of claim 9, wherein the second predetermined portion is a User 
Datagram Protocol (UDP) header of the data packet. 

1 3 . The method of claim 6, wherein said receiving comprises : 

reading the plurality of data segments from corresponding sectors in a data 
storage device. 
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14. The method of claim 13, wherein the first predetermined portion is a first selected 
portion in a sector in a data storage device, and the second predetermined portion is a 
second selected portion in the sector. 

1 5 . The method o f claim 6, further comprising: 

encrypting the second predetermined portion using the first set of encryption 
information. 

16. The method of claim 15, further comprising: 

encrypting the remaining portion of the data segment using the second set of 
encryption information. 

17. The method of claim 1 6, further comprising: 

generating an encrypted data segment for each of the original data segments, the 
encrypted data segment having a first predetermined portion, a second predetermined 
portion, and a remaining portion, the first predetermined portion containing the original 
data in the conesponding first predetermined portion of the original data segment, the 
second predetermined, portion containing the encrypted data of the corresponding second 
predetermined portion of the original data segment, and the remaining portion containing 
the encrypted data of the corresponding remaining portion of the original data segment. 

18. The method of claim 17, further comprising: 

transmitting a plurality of encrypted data segments as a stream of encrypted data. 

19. The method of claim 17, further comprising: 

storing a plurality of encrypted data segments on a data storage device, each 
encrypted data segment corresponding to a respective data sector of the data storage 
device. 

20. The method of claim 17, further comprising: 

receiving the encrypted data including a plurality of encrypted data segments; 



24 



WO 2005/088893 



PCT/US2004/004117 



selecting, for each encrypted data segment, a first set of encryption information 
based on data contained in the first predetermine portion of the encrypted data segment; 

decrypting the encrypted data contained in the second predetermined portion of 
each encrypted data segment using the first set of encryption information selected for the 
encrypted data segment; 

selecting, for each encrypted data segment, a second set of encryption 
information based on the deci~ypted data of the second predetermined portion; and 

decrypting the remaining portion of each encrypted data segment using the 
second set of encryption information selected for the encrypted data segment. 

21. The method of claim 20, wherein said selecting the first encryption information 
comprises: 

generating a first value from the original data contained in the first predetermined 
portion of the encrypted data segment. 

22. The method of claim 2 1 , wherein said generating the first value comprises: 
hashing the data contained in the first predetermined portion using a first hash 

key. 

23. The method of claim 20, wherein said selecting the second encryption 
information comprises: 

generating a second value from the decrypted data of the second predetermined 
portion of the encrypted data segment. 

24. The method of claim 23, wherein said generating the second value comprises: 
hashing the decrypted data of the second predetermined portion using a second 

hash key. 

25. A method for cryptographically processing data, said method comprising: 
receiving a plurality of encrypted data segments, each of the encrypted data 

segments having a predetermined portion; 
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selecting, for each encrypted data segment, a set of encryption information based 
on data contained in the predetermined portion of the encrypted data segment; and 

decrypting each encrypted data segment using the encryption information 
selected for the encrypted data segment. 

26. The method of claim 25, wherein said selecting comprises: 

generating, for each encrypted data segment, a value from data contained in the 
predetermined portion of the encrypted data segment; and 

selecting a set of encryption information associated with the generated value, the 
set of encryption information including an encryption algorithm, an encryption key, and 
optionally an encryption parameter. 

27. The method of claim 26, wherein said generating a value comprises: 
hashing the data contained in the predetermined portion using a hash key. 

28. The method of claim 27, further comprising: 

providing an encryption table, the encryption table containing: 
an encryption type identifier; 
an encryption key for the encryption type; and 
an encryption parameter, 
for each entry associated with a generated value. 

29. The method of claim 25, wherein the predetermined portion comprises: 

a first predetermined portion for selecting a first set of encryption information, 
the first set comprising a first encryption algorithm, a first encryption key, and optionally 
a first encryption parameter; and 

a second predetermined portion for selecting a second set of encryption 
information, the second set comprising a second encryption algorithm, a second 
encryption key, and optionally a second encryption parameter. 
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30. The method of claim 29, wherein said receiving comprises: 

receiving an encrypted data stream including a plurality of encrypted data 
packets, each encrypted data packet corresponding to an encrypted data segment. 

3 1 . The method of claim 30, wherein the first predetermined portion contains data for 
a first protocol layer, and the second predetermined portion contains data for a second 
protocol layer, wherein the first protocol layer is lower than the second protocol layer. 

32. The method of claim 30, wherein the first predetermined portion is an Internet 
Protocol (IP) header of the data packet. 

33. The method of claim 32, wherein the second predetermined portion is a selected 
portion of a data field of the data packet. 

34. The method of claim 32, wherein the second predetermined portion is a 
Transmission Control Protocol (TCP) header of the data packet. 

35. The method of claim 32, wherein the second predetermined portion is a User 
Datagram Protocol (UDP) header of the data packet. 

36. The method of claim 29, wherein said receiving comprises: 

reading the plurality of encrypted data segments from corresponding sectors in a 
data storage device. 

37. The method of claim 36, wherein the first predetermined portion is a first selected 
portion in a sector in a data storage device, and the second predetermined portion is a 
second selected portion in the sector. 

38. The method of claim 29, wherein data contained in the second predetermined 
portion of the encrypted data segment has been encrypted using the first set of encryption 
information. 
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39. The method of claim 38, wherein data contained in the remaining portion of the 
encrypted data segment has been encrypted using the second set of encryption 
information. 

40. An apparatus for cryptographically processing data, comprising: 

an input buffer adapted to receive data including a plurality of data segments; 

an encryption module adapted to encrypt each data segment; 

a controller coupled to said input buffer and said encryption module, said 
controller being adapted to select a set of encryption information for each data segment 
based on data contained in a predetermined portion of the data segment to be encrypted; 
and 

an output buffer coupled to said controller and said encryption module, said 
output buffer being adapted to output encrypted data including a plurality of encrypted 
data segments. 

41. The apparatus of claim 40, wherein said controller changes at least one of an 
encryption algorithm, an encryption key, and an encryption parameter for each data 
segment. 

42. The apparatus of claim 40, wherein said encryption module comprises: 

a plurality of encryption engines, each encryption engine corresponding to a 
respective encryption algorithm. 

43. The apparatus of claim 40, wherein said encryption module further comprises: 
a data buffer coupled to each of the plurality of encryption engines. 

44. The apparatus of claim 40, wherein said controller comprises: 

a data selector adapted to select a predetermined portion of each data segment; 

an encryption selector coupled with said data selector, adapted to select a set of 
encryption information in accordance with data contained in the predetermined portion, 
the set of encryption information including an encryption algorithm, an encryption key, 
and optionally an encryption parameter; and 



28 



WO 2005/088893 



PCT/US2004/004117 



an encryption controller adapted to select and activate an encryption engine based 
on the encryption information. 

45. The apparatus of claim 40, wherein said controller further comprises: 

a value generator coupled to said data selector, adapted to generate a value from 
the data contained in the predetermined portion. 

46. The apparatus of claim 45, wherein said value generator is adapted to hash the 
data contained in the predetermined portion using a hash key. 

47. The apparatus of claim 45, wherein said encryption controller comprises an 
encryption table containing: 

an encryption type identifier; 
an encryption key for the encryption type; and 
an encryption parameter, 
for each entry associated with a generated value. 

48. The apparatus of claim 40, wherein the predetermined portion of each data 
segment compris es : 

a first predetermined portion; and 
a second predetermined portion. 

49. The apparatus of claim 48, wherein the plurality of data segments are data 
packets in a data stream. 

50. The apparatus of claim 49, wherein the first predetermined portion contains data 
for a first protocol layer, and the second predetermined portion contains data for a second 
protocol layer, wherein the first protocol layer is lower than the second protocol layer. 

51. The apparatus of claim 49, wherein the first predetermined portion is an Internet 
Protocol (IP) header of the data packet. 
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52. The apparatus of claim 51, wherein the second predetermined portion is a 
selected portion of a data field of the data packet. 

53 . The apparatus of claim 5 1 , wherein the second predetermined portion is a 
Transmission Control Protocol (TCP) header of the data packet. 

54. The apparatus of claim 5 1 , wherein the second predetermined portion is a User 
Datagram Protocol (UDP) header of the data packet. 

55. The method of claim 48, wherein the plurality of data segments are sectors in a 
data storage device. 

56. The apparatus of claim 55, wherein the first predetermined portion is a first 
selected portion in a sector in a data storage device, and the second predetermined 
portion is a second selected portion in the sector. 

57. The apparatus of claim 48, wherein said controller comprises: 

a first encryption table for selecting the first set of encryption information based 
on data contained in the first predetermined portion; and 

a second encryption table for selecting the second set of encryption information 
based on data contained in the second predetermined portion. 

58. An apparatus for cryptographically processing data, comprising: 

an input buffer adapted to receive a plurality of encrypted data segments, each of 
the encrypted data segments having a predetermined portion; 

an encryption module adapted to decrypt each encrypted data segment; 

a controller coupled to said input buffer and said decryption module, said 
controller being adapted to select a set of encryption information for each encrypted data 
segment based on data contained in a predetermined portion of the encrypted data 
segment; and 
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an output buffer coupled to said controller and said decryption module, said 
output buffer being adapted to output decrypted data including a plurality of decrypted 
data segments. 

59. The apparatus of claim 58, wherein, said decryption module comprises: 

a plurality of decryption engines, each decryption engine corresponding to a 
respective encryption algorithm. 

60. The apparatus of claim 58, wherein, said decryption module further comprises: 
a data buffer coupled to each of th& plurality of decryption engines. 

61 . The apparatus of claim 58, wherein_ said controller comprises: 

a data selector adapted to select a predetermined portion of each encrypted data 
segment; 

a decryption selector coupled with said data selector, adapted to select a set of 
decryption information in accordance with data contained in the predetermined portion, 
the set of decryption information including an encryption algorithm, an encryption key, 
and optionally an encryption parameter; and 

a decryption controller adapted to select and activate a decryption engine based 
on the encryption information. 

62. The apparatus of claim 58, wherein, said controller further comprises: 

a value generator coupled to said dsta selector, adapted to generate a value from 
the data contained in the predetermined portion. 

63. The apparatus of claim 62, wherein, said value generator is adapted to hash the 
data contained in the predetermined portioxi using a hash key. 

64. The apparatus of claim 62, wherein, said decryption controller comprises an 
encryption table containing: 

an encryption type identifier; 

an encryption key for the encryption type; and 
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an encryption parameter, 
for each entry associated with a generated value. 

65. The apparatus of claim 58, wherein the predetermined portion of each data 
segment comprises: 

a first predetermined portion; and 
a second predetermined portion. 

66. The apparatus of claim 65, wherein the plurality of data segments are data 
packets in a data stream. 

67. The apparatus of claim 66, wherein the first predetermined portion contains data 
for a first protocol layer, and the second predetermined portion contains data for a second 
protocol layer, wherein the first protocol layer is lower than the second protocol layer. 

68. The apparatus of claim 66, wherein the first predetermined portion is an Internet 
Protocol (IP) header of the data packet. 

69. The apparatus of claim 68, wherein the second predetermined portion is a 
selected portion of a data field of the data packet. 

70. The apparatus of claim 68, wherein the second predetermined portion is a 
Transmission Control Protocol (TCP) -header of the data packet. 

71. The apparatus of claim 68, wherein the second predetermined portion is a User 
Datagram Protocol (UDP) header of th_e data packet. 

72. The method of claim 58, wherein the plurality of data segments are sectors in a 
data storage device. 
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73. The apparatus of claim 72 3 wherein the first predetermined portion is a first 
selected portion in a sector in a data storage device, and the second predetermined 
portion is a second selected portion in the sector. 

74. The apparatus of claim 58, wherein said controller comprises: 

a first encryption table for selecting the first set of decryption information based 
on data contained in the first predetermined portion; and 

a second encryption table for selecting the second set of decryption information 
based on data contained in the second predetermined portion. 

75. An apparatus for cryptographically processing data, said apparatus comprising: 
means for receiving a plurality of data segments; 

means for selecting, for each data segment, a set of encryption information based 
on data contained in a predetermined portion of the data segment to be encrypted; and 

means for encrypting each data segment using the set of encryption information 
selected for the data segment. 

76. The apparatus of claim 75, wherein said means for selecting changes at least one 
of an encryption algorithm, an encryption key, and an encryption parameter for each data 
segment based on the data contained in the predetermined portion. 

77. The apparatus of claim 75, wherein said means for selecting comprises: 
means for generating, for each data segment, a value from data contained in the 

predetermined portion of the data segment; and 

means for selecting a set of encryption information associated with the generated 
value, the set of encryption information including an encryption algorithm, an encryption 
key, and optionally an encryption parameter. 

78. The apparatus of claim 77, wherein said means for generating a value comprises: 
means for hashing the data contained in the predetermined portion using a hash 

key. 
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79. The apparatus of claim 77, further comprising: 

means for providing an encryption type identifier, an encryption Ikey for the 
encryption type, and an encryption parameter associated with a generate value. 

80. The apparatus of claim 75, wherein the predetermined portion comprises: 

a first predetermined portion for selecting a first set of encryption information, 
the first set comprising a first encryption algorithm, a first encryption key, and optionally 
a first encryption parameter; and 

a second predetermined portion for selecting a second set of encryption 
information, the second set comprising a second encryption algorithm, a second 
encryption key, and optionally a second encryption parameter. 

81. The apparatus of claim 80, further comprising: 

means for encrypting the second predetermined portion using the? first set of 
encryption information. 

82. The apparatus of claim 8 1 , further comprising: 

means for encrypting the remaining portion of the data segment using the second 
set of encryption information. 

83. The apparatus of claim 82, further comprising: 

means for generating an encrypted data segment for each of the original data 
segments, the encrypted data segment having a first predetermined portion, a second 
predetermined portion, and a remaining portion, the first predetermined portion 
containing the original data in the corresponding first predetermined portion of the 
original data segment, the second predetermined portion containing the encrypted data of 
the corresponding second predetermined portion of the original data segxnent, and the 
remaining portion containing the encrypted data of the corresponding remaining portion 
of the original data segment. 
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84. The apparatus of claim 83, further comprising: 

means for transmitting a plurality of encrypted data segments as a stream of 
encrypted data. 

85. The apparatus of claim 83 , further comprising: 

means for storing a plurality of encrypted data segments on a data storage device, 
each encrypted data segment corresponding to a respective data sector of the data storage 
device. 

86. The apparatus of claim 83, further comprising: 

means for receiving the encrypted data including a plurality of encrypted data 
segments; 

means for selecting, for each encrypted data segment, a first set of encryption 
information based on data contained in the first predetermine portion of the encrypted 
data segment; 

means for decrypting the encrypted data contained in the second predetermined 
portion of each encrypted data segment using the first set of encryption information 
selected for the encrypted data segment; 

means for selecting, for each encrypted data segment, a second set of encryption 
information based on the decrypted data of the second predetermined portion; and 

means for decrypting the remaining portion of each encrypted data segment using 
the second set of encryption information selected for the encrypted data segment. 

87. The apparatus of claim 86, wherein said means for selecting the first encryption 
information comprises: 

means for generating a first value from the original data contained in the first 
predetermined portion of the encrypted data segment. 

88. The apparatus of claim 87, wherein said means for generating the first value 
comprises: 

means for hashing the data contained in the first predetermined portion using a 
first hash key. 
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89. The apparatus of claim 86, wherein said means for selecting the second 
encryption information comprises: 

means for generating a second value from the decrypted data of the second 
predetermined portion of the encrypted data segment. 

90. The apparatus of claim 89, wherein said means for generating the second value 
comprises: 

means for hashing the decrypted data of the second predetermined portion using a 
second hash key. 

91. An apparatus for cryptographically processing data, said apparatus comprising: 
means for receiving a plurality of encrypted data segments, each of -the encrypted 

data segments having a predetermined portion; 

means for selecting, for each encrypted data segment, a set of encryption 
information based on data contained in the predetermined portion of the encrypted data 
segment; and 

means for decrypting each encrypted data segment using the encryption 
information selected for the encrypted data segment. 

92. The apparatus of claim 91, wherein said means for selecting comprises: 
means for generating, for each encrypted data segment, a value from data 

contained in the predetermined portion of the encrypted data segment; and 

means for selecting a set of encryption information associated with ^:he generated 
value, the set of encryption information including an encryption algorithm, an encryption 
key, and optionally an encryption parameter. 

93. The apparatus of claim 92, wherein said means for generating a value comprises: 
means for hashing the data contained in the predetermined portion uxsing a hash 

key. 

94. The apparatus of claim 93, further comprising: 
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means for providing an encryption type identifier, an encryption tcey for the 
encryption type, and an encryption parameter associated with a generated value. 

95. The apparatus of claim 91, wherein the predetermined portion comprises: 

a first predetermined portion for selecting a first set of encryption, information, 
the first set comprising a first encryption algorithm, a first encryption key, and optionally 
a first encryption parameter; and 

a second predetermined portion for selecting a second set of encryption 
information, the second set comprising a second encryption algorithm, a second 
encryption key, and optionally a second encryption parameter. 

96. The apparatus of claim 95, wherein data contained in the second predetermined 
portion of the encrypted data segment has been encrypted using the first set of encryption 
information. 

97. The apparatus of claim 96, wherein data contained in the remainixig portion of the 
encrypted data segment has been encrypted using the second set of encryption 
information. 
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